As the Internet and other networks have become commonplace, online shopping, content services, and other online services have multiplied. In a typical online service, a service providing apparatus that provides the service to the user and a client device through which the user authenticates to that apparatus are connected over a network. The user performs user authentication with the service providing apparatus through the client device, and the service providing apparatus then provides the service according to the result of that authentication.
Password authentication is the most widespread user authentication method because it is easy to implement. For password authentication to be secure, however, a different password must be used for each service and each password must be as long as possible, so the user is left to memorize every password registered with every service. In practice, users tend to reuse one password across services or choose a short password that is easy to remember, which makes it hard to ensure security. Password authentication also carries a high risk of the password being stolen by phishing or similar attacks.
A technology that combines password authentication with an authentication method based on a public key cryptosystem (public key authentication) has been proposed. For example, in the user authentication system disclosed in Patent literature 1, a terminal device, a business server, and a proxy authentication feature are connected to a network. When the user uses the business server through the terminal device, the proxy authentication feature authenticates the user of the terminal device in place of the business server, and only if that authentication succeeds is the requested series of processes executed on the business server. The proxy authentication feature first authenticates the user with user authentication information such as a user ID and password. It then sends a session ID to the terminal device, receives back a digital signature (hereafter simply "signature") computed over that session ID with the terminal device's private key, and verifies the signature, which gives stronger authentication than the password alone: the terminal must prove possession of its private key for the session ID issued by the proxy. Because a single proxy authentication feature can handle authentication for a plurality of business servers, the charges for using those servers can be added up and collected by the proxy. And because the proxy authentication feature is added in front of the business servers, they can be used without modification.
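The two-step exchange described above, shown as an added example that is not code from Patent literature 1 or from this document. Assumptions are labelled in the code: the proxy authentication feature stores a salted SHA-256 of each password (the literature does not specify the storage form; a real deployment would use a slow password hash), the terminal's key pair is Ed25519, the session ID is 32 random bytes in hex, and each session ID is accepted at most once so a captured signature cannot be replayed. The names `ProxyAuth`, `Terminal`, `PasswordStep`, `SignatureStep` and `RunExchange` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// ProxyAuth stands in for the proxy authentication feature: it checks the
// user ID and password first, then challenges the terminal with a fresh
// session ID that must come back signed by the terminal's private key.
type ProxyAuth struct {
	salts    map[string][]byte            // user ID -> per-user salt (assumed)
	verifier map[string][]byte            // user ID -> SHA-256(salt || password) (assumed scheme)
	pubKeys  map[string]ed25519.PublicKey // user ID -> registered terminal public key
	pending  map[string]string            // session ID -> user ID awaiting a signature
}

func NewProxyAuth() *ProxyAuth {
	return &ProxyAuth{
		salts:    map[string][]byte{},
		verifier: map[string][]byte{},
		pubKeys:  map[string]ed25519.PublicKey{},
		pending:  map[string]string{},
	}
}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// Register enrols a user's password and the public key of their terminal.
func (p *ProxyAuth) Register(userID, password string, pub ed25519.PublicKey) error {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	p.salts[userID] = salt
	p.verifier[userID] = hashPassword(salt, password)
	p.pubKeys[userID] = pub
	return nil
}

// PasswordStep handles the first message from the terminal (user ID and
// password). On success the proxy replies with a random session ID to sign.
func (p *ProxyAuth) PasswordStep(userID, password string) (string, error) {
	want, ok := p.verifier[userID]
	if !ok {
		return "", errors.New("unknown user")
	}
	if subtle.ConstantTimeCompare(want, hashPassword(p.salts[userID], password)) != 1 {
		return "", errors.New("bad password")
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	sessionID := hex.EncodeToString(raw)
	p.pending[sessionID] = userID
	return sessionID, nil
}

// SignatureStep handles the second message (the session ID signed by the
// terminal). The signature is verified against the public key registered for
// the user who passed the password step; a session ID is consumed on first use.
func (p *ProxyAuth) SignatureStep(sessionID string, sig []byte) (string, error) {
	userID, ok := p.pending[sessionID]
	if !ok {
		return "", errors.New("unknown or already used session ID")
	}
	delete(p.pending, sessionID) // one attempt per challenge, no replay
	if !ed25519.Verify(p.pubKeys[userID], []byte(sessionID), sig) {
		return "", errors.New("signature verification failed")
	}
	return userID, nil
}

// Terminal holds the terminal device's private key and signs challenges.
type Terminal struct{ priv ed25519.PrivateKey }

func NewTerminal() (*Terminal, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Terminal{priv: priv}, pub, nil
}

func (t *Terminal) Sign(sessionID string) []byte {
	return ed25519.Sign(t.priv, []byte(sessionID))
}

// RunExchange drives one complete login and returns the authenticated user ID.
func RunExchange(p *ProxyAuth, t *Terminal, userID, password string) (string, error) {
	sessionID, err := p.PasswordStep(userID, password)
	if err != nil {
		return "", err
	}
	return p.SignatureStep(sessionID, t.Sign(sessionID))
}

func main() {
	proxy := NewProxyAuth()
	term, pub, _ := NewTerminal()
	_ = proxy.Register("alice", "correct horse battery staple", pub) // constructed sample user
	fmt.Println(RunExchange(proxy, term, "alice", "correct horse battery staple"))
}
```

The session ID is deleted from the pending table before the signature is checked, so a failed or replayed signature forces the terminal back through the password step; the business server in the described system would be invoked only after `SignatureStep` returns a user ID.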
Patent literature 1: Japanese Patent Application Laid-Open No. 2002-132727